00. Profiling a Portfolio of Cybercriminal Email Addresses Using WhoisXML API's 
Historical WHOIS Search and Maltego - An Analysis 
We recently decided to map and research domain registrations made by well-known and established online cybercriminals. We took several hundred email addresses known to belong to well-known cybercriminals and cross-checked them for related domain registrations using Maltego and WhoisXML API's vast and in-depth real-time and historical WHOIS records database.


In this article we discuss in depth the findings of this study, in which we took several hundred email addresses known to be owned and operated by known cybercriminals and checked them for related domain registrations. We also provide actionable intelligence on the online infrastructure of these newly discovered domains, which are known to be managed and registered by known cybercriminals.

Sample screenshot of Maltego in combination with WhoisXML API's integration offering an in-depth peek inside a well-known portfolio of cybercriminal email addresses in terms of related domain registrations


Domains currently and historically registered by well-known cybercriminals include:


Sample malicious MD5s known to have phoned back to the domains registered by the 
cybercriminals: 


We'll continue monitoring these newly discovered domain registrations for signs of the bad guys registering related domains for fraudulent and malicious purposes using well-known and personal email addresses, and we'll post updates as soon as new developments take place.


